diff --git a/configuration/common/default.nix b/configuration/common/default.nix
index 0c7b5c5..e0c17af 100644
--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@@ -7,7 +7,6 @@
 ./initrd.nix
 ./locale.nix
 ./networking.nix
- ./nix.nix
 ./programs.nix
 ./ssh.nix
 ./systemd.nix
diff --git a/configuration/common/nix.nix b/configuration/common/nix.nix
deleted file mode 100644
index ef92e63..0000000
--- a/configuration/common/nix.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{ lib, pkgs, ... }:
-
- {
-
- clerie.nixfiles.enable = true;
-
- clerie.system-auto-upgrade.enable = true;
-
- nix.settings = {
- trusted-users = [ "@wheel" "@guests" ];
- auto-optimise-store = true;
- # Keep buildtime dependencies
- keep-outputs = true;
- # Build local, when caches are broken
- fallback = true;
- };
-
- nix.gc = lib.mkDefault {
- automatic = true;
- dates = "weekly";
- options = "--delete-older-than 30d";
- };
-
-
- nix.settings = {
- experimental-features = [
- "flakes"
- "nix-command"
- ];
- substituters = [
- "https://nix-cache.clerie.de"
- ];
- trusted-public-keys = [
- "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
- ];
- };
-
- # Pin current nixpkgs channel and flake registry to the nixpkgs version
- # the host got build with
- nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
- nix.registry = {
- "nixpkgs" = lib.mkForce {
- from = {
- type = "indirect";
- id = "nixpkgs";
- };
- to = {
- type = "path";
- path = lib.cleanSource pkgs.path;
- };
- exact = true;
- };
- "templates" = {
- from = {
- type = "indirect";
- id = "templates";
- };
- to = {
- type = "git";
- url = "https://git.clerie.de/clerie/flake-templates.git";
- };
- };
- };
-
- documentation.doc.enable = false;
-
- environment.systemPackages = with pkgs; [
- nix-remove-result-links
- ];
-}
diff --git a/configuration/desktop/ssh.nix b/configuration/desktop/ssh.nix
index 63deb0d..ca528bc 100644
--- a/configuration/desktop/ssh.nix
+++ b/configuration/desktop/ssh.nix
@@ -2,9 +2,8 @@ { - imports = [ - ../../configuration/gpg-ssh - ]; + profiles.clerie.gpg-ssh.enable = true; + programs.gnupg.agent = { pinentryPackage = pkgs.pinentry-gtk2; };
diff --git a/configuration/gpg-ssh/default.nix b/configuration/gpg-ssh/default.nix
deleted file mode 100644
index 497c280..0000000
--- a/configuration/gpg-ssh/default.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ pkgs, lib, ... }:
-
-let
-
- custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
- configureFlags = prev.configureFlags ++ [
- # Make sure scdaemon never ever again tries to use its own ccid driver
- "--disable-ccid-driver"
- ];
- });
-
-in {
-
- programs.gnupg.package = custom_gnupg;
- programs.gnupg.agent = {
- enable = true;
- enableSSHSupport = true;
- pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
- };
-
- environment.systemPackages = with pkgs; [
- custom_gnupg
- yubikey-personalization
- openpgp-card-tools
-
- # Add wrapper around ssh that takes the gnupg ssh-agent
- # instead of gnome-keyring
- ssh-gpg
- ];
-
- services.pcscd.enable = true;
-
- # pcscd sometimes breaks and seem to need a manual restart
- # so we allow users to restart that service themself
- security.polkit.extraConfig = ''
- polkit.addRule(function(action, subject) {
- if (
- action.id == "org.freedesktop.systemd1.manage-units"
- && action.lookup("unit") == "pcscd.service"
- && action.lookup("verb") == "restart"
- && subject.isInGroup("users")
- ) {
- return polkit.Result.YES;
- }
- });
- '';
-
- services.udev.packages = with pkgs; [
- yubikey-personalization
- ];
-}
diff --git a/flake.lock b/flake.lock
index cff961a..28f830d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -532,6 +532,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-carbon": {
+ "locked": {
+ "lastModified": 1751206202,
+ "narHash": "sha256-VjK8pEv4cfDpCTh4KW1go98kP25j7KdTNEce342Bh/Y=",
+ "owner": "clerie",
+ "repo": "nixpkgs",
+ "rev": "ac4ac98609c1b30c378458ab7207a9a5b5148457",
+ "type": "github"
+ },
+ "original": {
+ "owner": "clerie",
+ "ref": "clerie/always-setup-netdevs",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-regression": {
 "locked": {
 "lastModified": 1643052045,
@@ -731,6 +747,7 @@
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs_5",
 "nixpkgs-0dc1c7": "nixpkgs-0dc1c7",
+ "nixpkgs-carbon": "nixpkgs-carbon",
 "nurausstieg": "nurausstieg",
 "rainbowrss": "rainbowrss",
 "scan-to-gpg": "scan-to-gpg",
diff --git a/flake.nix b/flake.nix
index 2a5d76c..1a6405f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,7 @@
 {
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ nixpkgs-carbon.url = "github:clerie/nixpkgs/clerie/always-setup-netdevs";
 # for etesync-dav
 nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe";
 nixos-hardware.url = "github:NixOS/nixos-hardware/master";
@@ -70,7 +71,6 @@
 };
 outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let
 lib = import ./lib inputs;
- localNixpkgs = import ./flake/nixpkgs.nix inputs;
 in {
 clerie.hosts = {
 aluminium = {
@@ -140,14 +140,17 @@ clerie-overrides = import ./pkgs/overrides/overlay.nix; }; + nixpkgs = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: + lib.mkNixpkgs { + inherit system; + } + ); + packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: - let - pkgs = localNixpkgs.${system}; - in nixpkgs.lib.genAttrs ( (builtins.attrNames (self.overlays.clerie-pkgs null null)) ++ (builtins.attrNames (self.overlays.clerie-overrides null null)) - ) (name: pkgs."${name}") + ) (name: self.nixpkgs."${system}"."${name}") ); inherit lib self;
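Review bot: The new `nixpkgs-carbon.url = "github:clerie/nixpkgs/clerie/always-setup-netdevs";` input in the first flake.nix hunk is the only input that tracks a branch of a personal fork, and it carries no comment while the neighbouring pin `nixpkgs-0dc1c7.url` has `# for etesync-dav`. A branch ref is mutable, so the host built from it follows whatever that branch holds at the next `nix flake update` and stops receiving nixos-unstable fixes until the branch is rebased; flake.lock records the exact rev, but nothing in flake.nix says the input is meant to be temporary or which host consumes it (presumably via the `nixpkgs-<hostname>` lookup in flake/nixosConfigurations.nix). Suggest a comment above the line such as `# for carbon: <reason>; drop once clerie/always-setup-netdevs is merged upstream`.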
diff --git a/flake/nixosConfigurations.nix b/flake/nixosConfigurations.nix
index 8f5f80d..bfcb483 100644
--- a/flake/nixosConfigurations.nix
+++ b/flake/nixosConfigurations.nix
@@ -10,8 +10,10 @@ let
 group ? null,
 modules ? [],
 }: let
+ localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
 in self.lib.nixosSystem {
 system = system;
+ nixpkgs = localNixpkgs;
 modules = modules ++ [
 ({ config, lib, ... }: {
 # Set hostname
diff --git a/flake/nixpkgs.nix b/flake/nixpkgs.nix
deleted file mode 100644
index 920fddc..0000000
--- a/flake/nixpkgs.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ self
-, nixpkgs
-, ...
-}@inputs:
-
-let
- mkNixpkgs = { system, ... }@args:
- import nixpkgs {
- inherit system;
- overlays = [
- self.overlays.clerie-inputs
- self.overlays.clerie-pkgs
- self.overlays.clerie-build-support
- self.overlays.clerie-overrides
- ];
- };
-
-in
- nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: mkNixpkgs { inherit system; })
diff --git a/hosts/_iso/configuration.nix b/hosts/_iso/configuration.nix
index 9d267aa..b5e54d5 100644
--- a/hosts/_iso/configuration.nix
+++ b/hosts/_iso/configuration.nix
@@ -3,9 +3,9 @@ { imports = [ (modulesPath + "/installer/cd-dvd/installation-cd-base.nix") - ../../configuration/gpg-ssh ]; + profiles.clerie.gpg-ssh.enable = true; profiles.clerie.network-fallback-dhcp.enable = true; # systemd in initrd is broken with ISOs
diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix
index b0fc794..051f1d3 100644
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -63,10 +63,10 @@ systemd.services.kea-dhcp4-server = { after = [ - "network-setup.service" + "network.target" ]; - requires = [ - "network-setup.service" + wants = [ + "network.target" ]; };
diff --git a/lib/default.nix b/lib/default.nix
index 388a1df..1f9de63 100644
--- a/lib/default.nix
+++ b/lib/default.nix
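Review bot: The added `localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;` makes any flake input named `nixpkgs-<hostname>` silently replace the package set that host is built from, and nothing in the hunk documents that convention. A comment directly above the line, e.g. `# A flake input named "nixpkgs-<hostname>" overrides the nixpkgs this host is built from (see nixpkgs-carbon in flake.nix)`, would make the coupling visible to whoever adds the next input. The lookup also matches any input that merely follows the naming pattern (flake.nix already has `nixpkgs-0dc1c7`), so a host whose name collides with such a suffix would pick it up without warning; presumably no such host exists today, but an explicit per-host `nixpkgs` argument would state the intent rather than rely on the name. The enclosing host-builder function starts before this hunk.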
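Review bot: In the hosts/carbon hunk, replacing `requires = [ "network-setup.service" ]` with `wants = [ "network.target" ]` weakens the ordering for kea-dhcp4-server: `network.target` only orders against the network management stack having been started, not against any interface being configured, so the service may now be started before the interface it serves exists, which is presumably what the nixpkgs-carbon branch is meant to compensate for. If the unit needs a configured interface, the documented target for that is `network-online.target`, i.e. `after = [ "network-online.target" ]; wants = [ "network-online.target" ];`, at the cost of waiting for the network-online check at boot. Whether the NixOS kea module already adds such an ordering is not visible in this diff.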
@@ -8,6 +8,7 @@ let lib = { clerie-monitoring-ids = callLibs ./clerie-monitoring-ids.nix; + mkNixpkgs = callLibs ./mkNixpkgs.nix; nixosSystem = callLibs ./nixosSystem.nix; };
diff --git a/lib/mkNixpkgs.nix b/lib/mkNixpkgs.nix
new file mode 100644
index 0000000..a44aff9
--- /dev/null
+++ b/lib/mkNixpkgs.nix
@@ -0,0 +1,27 @@
+{
+ inputs,
+ self,
+ ...
+}:
+
+/*
+
+ Loads a version of nixpkgs with nixfiles overlays loaded
+
+*/
+{
+ system,
+ nixpkgs ? inputs.nixpkgs,
+ overlays ? [],
+ ...
+}@args:
+
+import nixpkgs {
+ inherit system;
+ overlays = [
+ self.overlays.clerie-inputs
+ self.overlays.clerie-pkgs
+ self.overlays.clerie-build-support
+ self.overlays.clerie-overrides
+ ] ++ overlays;
+}
diff --git a/lib/nixosSystem.nix b/lib/nixosSystem.nix
index bac3eec..89ff0ec 100644
--- a/lib/nixosSystem.nix
+++ b/lib/nixosSystem.nix
@@ -12,16 +12,17 @@ */ { system ? null, + nixpkgs ? inputs.nixpkgs, pkgs ? null, modules ? [], ... }@args: -let - localNixpkgs = import ../flake/nixpkgs.nix inputs; -in inputs.nixpkgs.lib.nixosSystem ({ +nixpkgs.lib.nixosSystem ({ system = system; - pkgs = if pkgs != null then pkgs else localNixpkgs.${system}; + pkgs = if pkgs != null then pkgs else (self.lib.mkNixpkgs { + inherit system nixpkgs; + }); modules = [ self.nixosModules.nixfilesInputs self.nixosModules.clerie
@@ -38,4 +39,4 @@ in inputs.nixpkgs.lib.nixosSystem ({
 };
 })
 ] ++ modules;
-} // builtins.removeAttrs args [ "system" "pkgs" "modules" ] )
+} // builtins.removeAttrs args [ "system" "nixpkgs" "pkgs" "modules" ] )
diff --git a/profiles/common-nix/default.nix b/profiles/common-nix/default.nix
new file mode 100644
index 0000000..0a50688
--- /dev/null
+++ b/profiles/common-nix/default.nix
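Review bot: In the new lib/mkNixpkgs.nix the argument set is declared with `...` and bound as `}@args:`, but `args` is never referenced, so any extra attribute a caller passes (a `config` for the nixpkgs instance, for example) is silently discarded rather than rejected or forwarded. Either drop `...` and `@args` so unexpected attributes fail at evaluation time, or forward them the way lib/nixosSystem.nix does: `import nixpkgs ({ inherit system; overlays = [ ... ] ++ overlays; } // builtins.removeAttrs args [ "system" "nixpkgs" "overlays" ])`. The header comment could also list the three accepted arguments and note that `overlays` is appended after the nixfiles overlays, since that order decides which definition wins.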
@@ -0,0 +1,88 @@
+{ lib, pkgs, config, ... }:
+
+with lib;
+
+let
+
+ cfg = config.profiles.clerie.common-nix;
+
+in {
+
+ options.profiles.clerie.common-nix = {
+ enable = mkEnableOption "Common nix config";
+ useClerieNixCache = (mkEnableOption "Use nix cache from clerie") // {
+ default = true;
+ };
+ };
+
+ config = mkIf config.profiles.clerie.common-nix.enable {
+
+ clerie.nixfiles.enable = true;
+
+ clerie.system-auto-upgrade.enable = true;
+
+ nix.settings = {
+ trusted-users = [ "@wheel" "@guests" ];
+ auto-optimise-store = true;
+ # Keep buildtime dependencies
+ keep-outputs = true;
+ # Build local, when caches are broken
+ fallback = true;
+ };
+
+ nix.gc = lib.mkDefault {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+
+
+ nix.settings = {
+ experimental-features = [
+ "flakes"
+ "nix-command"
+ ];
+ substituters = if cfg.useClerieNixCache then [
+ "https://nix-cache.clerie.de"
+ ] else [];
+ trusted-public-keys = if cfg.useClerieNixCache then [
+ "nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
+ ] else [];
+ };
+
+ # Pin current nixpkgs channel and flake registry to the nixpkgs version
+ # the host got build with
+ nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
+ nix.registry = {
+ "nixpkgs" = lib.mkForce {
+ from = {
+ type = "indirect";
+ id = "nixpkgs";
+ };
+ to = {
+ type = "path";
+ path = lib.cleanSource pkgs.path;
+ };
+ exact = true;
+ };
+ "templates" = {
+ from = {
+ type = "indirect";
+ id = "templates";
+ };
+ to = {
+ type = "git";
+ url = "https://git.clerie.de/clerie/flake-templates.git";
+ };
+ };
+ };
+
+ documentation.doc.enable = false;
+
+ environment.systemPackages = with pkgs; [
+ nix-remove-result-links
+ ];
+
+ };
+
+}
diff --git a/profiles/common/default.nix b/profiles/common/default.nix
index f3ae5ba..868125b 100644
--- a/profiles/common/default.nix
+++ b/profiles/common/default.nix
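Review bot: `trusted-users = [ "@wheel" "@guests" ];` is carried into the new profile without a comment, even though the profile now gets a `useClerieNixCache` switch and is turned on for every host through `profiles.clerie.common-nix.enable = mkDefault true;` in profiles/common. The Nix manual documents trusted users as able to specify additional substituters and import unsigned paths, which makes daemon trust effectively root-equivalent, so a short `# why guests are trusted` comment, or an option next to `useClerieNixCache` that lets a host with untrusted guest accounts opt out, would be worth adding here. Minor style: the two `if cfg.useClerieNixCache then [ ... ] else []` expressions read more idiomatically as `lib.optionals cfg.useClerieNixCache [ ... ]`, and `mkIf config.profiles.clerie.common-nix.enable` can use the `cfg` binding defined above as `mkIf cfg.enable`.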
@@ -13,6 +13,7 @@ with lib; profiles.clerie.common-dns.enable = mkDefault true; profiles.clerie.common-networking.enable = mkDefault true; + profiles.clerie.common-nix.enable = mkDefault true; profiles.clerie.common-webserver.enable = mkDefault true;
diff --git a/profiles/default.nix b/profiles/default.nix
index 6de6c14..b385ca1 100644
--- a/profiles/default.nix
+++ b/profiles/default.nix
@@ -6,11 +6,13 @@
 ./common
 ./common-dns
 ./common-networking
+ ./common-nix
 ./common-webserver
 ./cybercluster-vm
 ./dn42-router
 ./fem-net
 ./firefox
+ ./gpg-ssh
 ./hetzner-cloud
 ./hydra-build-machine
 ./mercury-vm
diff --git a/profiles/gpg-ssh/default.nix b/profiles/gpg-ssh/default.nix
new file mode 100644
index 0000000..ba2da69
--- /dev/null
+++ b/profiles/gpg-ssh/default.nix
@@ -0,0 +1,64 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+
+let
+
+ cfg = config.profiles.clerie.gpg-ssh;
+
+ custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
+ configureFlags = prev.configureFlags ++ [
+ # Make sure scdaemon never ever again tries to use its own ccid driver
+ "--disable-ccid-driver"
+ ];
+ });
+
+in {
+
+ options.profiles.clerie.gpg-ssh = {
+ enable = mkEnableOption "SSH integration for GPG";
+ };
+
+ config = mkIf config.profiles.clerie.gpg-ssh.enable {
+
+ programs.gnupg.package = custom_gnupg;
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
+ };
+
+ environment.systemPackages = with pkgs; [
+ custom_gnupg
+ yubikey-personalization
+ openpgp-card-tools
+
+ # Add wrapper around ssh that takes the gnupg ssh-agent
+ # instead of gnome-keyring
+ ssh-gpg
+ ];
+
+ services.pcscd.enable = true;
+
+ # pcscd sometimes breaks and seem to need a manual restart
+ # so we allow users to restart that service themself
+ security.polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (
+ action.id == "org.freedesktop.systemd1.manage-units"
+ && action.lookup("unit") == "pcscd.service"
+ && action.lookup("verb") == "restart"
+ && subject.isInGroup("users")
+ ) {
+ return polkit.Result.YES;
+ }
+ });
+ '';
+
+ services.udev.packages = with pkgs; [
+ yubikey-personalization
+ ];
+
+ };
+
+}
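Review bot: `cfg = config.profiles.clerie.gpg-ssh;` is bound in the `let` of the new profile but never used; the line `config = mkIf config.profiles.clerie.gpg-ssh.enable {` spells the option path out again, so the binding is dead code. Changing that line to `config = mkIf cfg.enable {` states the path once and mirrors how the sibling common-nix profile uses its `cfg`. The file also mixes the `with lib;` shorthand (`mkEnableOption`, `mkIf`) with the qualified `lib.mkDefault` on the pinentry line; either form works, but picking one keeps the two new profiles consistent.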